None of this takes away from my main point that **MAIL THEFT IS HUGELY UNDERREPORTED** either because (1) homeowners don’t realize their mail has been stolen (I imagine a large percentage of the 65% of individuals who don’t know how their information was compromised had their mail stolen) or (2) homeowners don’t know who to contact if they suspect their mail has been stolen. I have read countless blogs of individuals complaining they find their junkmail discarded on the street and suspect someone has been rifling through their mail… but they don’t report this to the authorities… police or USPIS.

The failure to report ID theft is across the board as I’m sure you know, not just for mail theft… so most experts agree the FTC values largely underestimate the ID theft problem numbers as a whole…

Unlike with stolen mail, I imaging most individuals who have their information compromised via large corporate data breaches, they are AWARE that their info was compromised b/c the company has a legal obligation to inform the consumer. I have heard of many instances of this happening.. sometimes banks will just reissue cards and account#s without even asking if the breach was large enough.. I guess thats damage control of sorts..

ANyway, I’m glad you have brought this information to light though, I think its important for consumers to be aware of all the ways their ID info can be compromised so they can cover all their bases.

Thanks for the interesting link. The study you referred to says that:

• -Only 35% of the victims knew how their data had been accessed.
• -OF THOSE 35%, only 6% cited “stolen paper mail” (compared with fully 19% that indicated “online” or “data breach”).
• -This means that, according to the study you referenced, only 2.1% of identity theft is known to arise from “mail stolen from mailboxes.” (And that percentage was halved the following year, according to Javelin’s 2009 consumer fraud survey report)
• -Fully 65% of people did not know where their identity theft originated. This isn’t surprising, because:
• -Massive data breaches are not rare. They are, in fact, all too common. Corporations and government have NOT been taking appropriate security precautions, which is partly why security best practices such as PCI/DSS represent such an enormous challenge.
• -Here are a few listings of reported data loss incidents (note that the vast majority relate to thefts of centralized, electronic data):

  Data Loss DB: Latest incidents
  Data Loss DB: Largest incidents
  SC’s Data Breach Blog/

• -And for illustration, here is an example from last summer:

“Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed…

“Mr. Gonzalez and several in his cohort drove around and scanned the wireless networks of retailers to find security holes — known as “war driving,” according to prosecutors. Once the thieves identified technical weaknesses in the networks, they installed so-called sniffer programs, obtained from collaborators overseas.”

“Those programs tapped into the retailers’ networks for processing credit cards and intercepted customers’ PINs and debit and credit numbers that were stored there. The thieves then spirited that information away to computers in the United States, Latvia and Ukraine…”

“‘Computer networks and the Internet are an indispensable part of the world economy. But even as they provide extraordinary opportunities for legitimate commerce and communication, they also provide extraordinary opportunities for criminals,’ said Michael B. Mukasey, the United States attorney general, at a news conference in Boston to announce the indictments.” – The New York Times, August 5 2008

For an example of millions of credit card account numbers being stolen through the mail… i can’t give you that. but how about thousands of people’s accounts taken for millions of dollars? http://www.nytimes.com/2000/06/08/nyregion/2-charged-in-1.5-million-mail-theft-scheme.html?sec=&spon=
“2 Charged in $1.5 million mail theft scheme: A young couple used mail pilfered from THOUSANDS of homes in Queens and Long Island neighborhoods to steal more than $1.5 million from banks and credit card companies, prosecutors said yesterday.”

Can you imagine someone trying to steal 100 million credit card numbers from a large city mail processing center all at once? It wouldn’t be subtle at all. On the other hard, virtual theft of over 100 million credit card numbers happened recently with Heartland, and it took them a while to figure it out. As Dr. Dan Geer once pointed out, on the Internet you’re only 150 milliseconds away from every psychopath on the planet. The risk involved in stealing data virtually is far less than it is for theft in the real world, and they payoffs are greater.

Credit card companies offer their own Identity Theft Protection services, such as:
Citi’s IdentityMonitor
Discover’s Identity Theft Protection
… and many others.

Lots of credit card companies do offer low or zero liability for identity theft, but once your information has been stolen it can be used to cause you headache in ways far outside the credit card company’s control. Health insurance fraud is a good example.

Online banking is convenient, but security protections right now are not very effective. There are a few companies out there that require hardware tokens and two-factor authentication, but in the United States that’s the exception, not the rule. People seem to have just accepted that theft and lack of privacy are the price of convenience, and rather than invest in preventative solutions, credit card companies are offering response services and making a killing.

Mastercard and Visa both have a “zero liability” policy for unauthorised transactions. It is by far a better way to conduct transactions online compared to other means.

If your argument is that online merchants can store credit card details rather than merely forwarding them to a payment gateway, then I fail to see why the average credit card user shouldn’t take steps to avoid their paper mail being intercepted by an unscrupulous person.

And in what world does pushing online statements constitute increasing “identity theft protection sales”? And what are these “identity theft protection” products you speak of? Do you allege Citibank to have a financial stake in them too?

It is quite interesting that you accuse Citibank of scaremongering, yet all your article appears to do is raise unfounded allegations at a company, which, for the most part, appears generally concerned with the inherent insecurity of delivering paper mail to (what I would assume to be, in the majority of cases) unsecured mailboxes.

If you’re a target for identity fraud, it seems that your mailbox would be a fantastic way to acquire information to proceed. Do you really wish to dispute this?